Question posted in 
After 4 years of reliable operation, my PHP listener script started to fail from October 8th, 2019 onwards with the
Error – The request was aborted: Could not create SSL/TLS secure channel.
I have not changed anything on my server. The SSL certificate is a valid v3 from Lets Encrypt. TLS is 1.2.
I have been on support calls for hours with no resolution, other than them telling me that I need to install their certificates here: https://www.docusign.com/trust/compliance/public-certificates
The problem is that I don’t know how I would integrate that with my server, and my web host doesn’t know either. When asked, they are not able to explain it either.
The listener script on my server is fairly simple:
function guid() {
$uuid = '';
if (function_exists('com_create_guid')){
$uuid = com_create_guid();
// somehow the function com_create_guid includes {}, while our webservice
// doesn't. Here we are changing the format by taking those curly braces out.
$uuid = str_ireplace("{", "", $uuid );
$uuid = str_ireplace("}", "", $uuid );
} else {
mt_srand((double)microtime()*10000);//optional for php 4.2.0 and up.
$charid = strtoupper(md5(uniqid(rand(), true)));
$hyphen = chr(45);// "-"
$uuid = substr($charid, 0, 8).$hyphen
.substr($charid, 8, 4).$hyphen
.substr($charid,12, 4).$hyphen
.substr($charid,16, 4).$hyphen
.substr($charid,20,12);
}
return $uuid;
}
// Figure out the URL of this server
// NOTE: DocuSign only pushes status to HTTPS!
$postBackPath = empty($_SERVER['HTTPS']) ? 'http://' : 'https://';
$postBackPath .= ($_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'] );
$postedXml = @file_get_contents('php://input');
if (!empty($_POST['post'])) {
// if this is a sample load
$xml = simplexml_load_file("post.sample") or die("Unable to load sample XML file!");
$xml->EnvelopeStatus->EnvelopeID = guid(); // here we replace the GUID so we have unique files
// using the curl library to get the post
$curl = curl_init();
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT ,30);
curl_setopt($curl, CURLOPT_TIMEOUT, 60);
curl_setopt($curl, CURLOPT_URL, $postBackPath);
curl_setopt($curl, CURLOPT_HEADER, array("Content-Type: application/xml"));
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $xml->asXML());
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_exec ( $curl );
curl_close ($curl);
}
else if(!empty($postedXml)) {
// see if this is a post to this page if it is then we have to save it.
$xml = simplexml_load_string($postedXml);
$post = $xml;
print 'Got Envelope ID: ' . $xml->EnvelopeStatus->EnvelopeID . '<br />';
}
After that code, it just parses data from the xml that I pass into my CRM.
On the Docusign Connect setup, I have the log enabled and require acknowledgement. All of the integration and security settings are unchecked (HMAC signature, Include basic authentication header, require mutual TLS, use SOAP interface, enable mutual TLS are all unchecked).
UPDATE: A response from my webhost assisting in this issue:
Hello again.
I took a look at the SSL you presently have installed for
sub.domain.com (you can see the info from Chrome browser) If you
click on the lock in the url bar and then click on Certificate >
Details > Version you (or docusign) can see that that cert is version
3 as they specified that you need.I’m not clear on where they think that you should install their
certificate though. The cert at the link provided is to cover
na2.docusign.net which is not hosted on your server so there’s no
place to install that that I’m aware of. You can verify that by
downloading the NA2 certificate from the link they provided:
https://www.docusign.com/trust/compliance/public-certificatesOpen the .cer file in the simplest text editor you have available and
paste the contents in here:
https://www.sslshopper.com/certificate-decoder.htmlThat will give you all the information about the certificate. Under
“Subject:” you’ll see CN = na2.docusign.net which means that it covers
their domain not yours.I’m afraid we’ll need more information from DocuSign to be able to
assist you. If this SSL were installed on your domain, it would fail
authenticity checks run by any browser connecting to your site which
isn’t going to instill any confidence for your visitors.
This was my impression as well, so I feel like we are misunderstanding how this certificate from Docusign would work in conjunction with the certificate we already have from Lets Encrypt.
Is this a coding issue?
I am using a very simple Docusign connect integration, which is just a php listener catching the XML from a completed envelope and parsing it so I can pass that to my CRM.
3
Answers
I was able to find this article: https://developers.docusign.com/esign-rest-api/guides/mutual-tls-apache2 and pass this to my server administrator. This was apparently had the missing info they needed to get it working. Not really an answer, but if you are struggling like I was, this will help steer you in the right direction.
see information on this page:
https://www.docusign.com/trust/compliance/public-certificates
“The renewed Connect certificates listed below are slated to be introduced into the DocuSign Service in the September 2019 – November 2019 timeframe. The ‘offer’ date specified below is the date the renewed certificate will be available for consumption and the ‘enforce’ date is when the renewed certificate will be the only option i.e. the current certificate will no longer be available for consumption.”
You would have to update the certificate from that page on your server to fix this.
I had the same issue today. after 5 hours digging into the internet, Here my change which resolved my issue:
+=+ all the update is related to the Haproxy certification setting, I added these three lines to the haproxy.conf file: